CVE-2026-23455

CRITICAL 9.1

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

0th

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement.

Vendor	linux
Product	linux
Ecosystems	Linux Kernel
Industries	Technology
Published	Apr 3, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new critical vulnerabilities affecting linux linux are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Linux / Linux

5e35941d990123f155b02d5663e51a24f816b6f3 < 2121f5fbe88daff0f1fc5bc47d359426c74b86b0 5e35941d990123f155b02d5663e51a24f816b6f3 < 65fa92f79677858b14b9e4b7275f26639afe2710 5e35941d990123f155b02d5663e51a24f816b6f3 < 495e97af9e7249ee02b72bb1d0848a6efc3700f4 5e35941d990123f155b02d5663e51a24f816b6f3 < f5e4f4e4cdb75ec36802059a94195a31f193da60 5e35941d990123f155b02d5663e51a24f816b6f3 < 633e8f87dad32263f6a57dccdb873f042c062111 5e35941d990123f155b02d5663e51a24f816b6f3 < 9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8 5e35941d990123f155b02d5663e51a24f816b6f3 < b652b05d51003ac074b912684f9ec7486231717b 5e35941d990123f155b02d5663e51a24f816b6f3 < f173d0f4c0f689173f8cdac79991043a4a89bf66

Linux / Linux

2.6.17

References

NVD ↗ CVE.org ↗ EPSS Data ↗